Building Your Foundation

Your ethics and compliance program is an ecosystem of moving parts. New laws and regulations, new lines of business, new geographies, mergers and acquisitions become part of a growing enterprise that your compliance ecosystem must support.

Effective compliance programs are able to deftly navigate these complexities because they have built strong foundations that were developed with the nature of the compliance industry in mind.

This section will give you the expert advice and programmatic best practices to ensure the first steps you take to develop your program are in the right direction. Or if your program is more mature, these resources and insights will give you the necessary guidance to course correct and improve your program’s foundation at whichever stage it is in.

For the first time, companies that sustain an FCPA violation are required to perform a root cause analysis and incorporate that information back into the compliance program. Learn how to survive.

In November, 2017, the Justice Department released its new FCPA Corporate Enforcement Policy. Many compliance practitioners have focused on the requirements for obtaining a declination and the discounts in fines and penalties for companies that do not receive a full declination. However, there was other important information every compliance practitioner should pay attention to.

A new area was introduced into compliance programs with the Justice Department’s 2017 Evaluation of Corporate Compliance Programs. For the first time, companies that sustain an FCPA violation are required to perform a root cause analysis and incorporate that information back into the compliance program.

How to Survive

1. Know What a Root Cause Analysis Is

A root cause analysis is a reactive approach to problems. Its purpose is to use problem solving methods to identify the root cause of issues or events. It is based on the belief that problems are best solved by attempting to correct or eliminate root causes, as opposed to merely addressing the more obvious symptoms.

2. Understand the Difference Between a Root Cause Analysis & an Investigation

In an investigation, the goal is to either prove or disprove an allegation. A root cause analysis should not be structured like an investigation, nor should it follow investigative protocols. In an investigation, you are simply gathering facts, not assessing blame. A root cause analysis takes a step beyond gathering the facts to determine how the compliance failure occurred, or was allowed to occur.

3. Find an Approach that Works for You

Keep in mind – there is no one right or wrong away to perform a root cause analysis. However, there are several known strategies such as the “Five-Whys Approach”, the “Causal Factors Approach” and the “Ishikawa Diagram.” Whichever approach you choose, ensure you apply rigor and do not take shortcuts. Dig, dig and then dig again until you cannot dig any further. At that point, you have determined the root cause and can confidently move onto defining remediation. Do not engage in the “blame game” of simply defaulting to human error. Dig into your polices, procedures and controls to see what led to the compliance failure or allowed it to manifest.

4. Improve Controls, Don’t Just Blame People

Don’t jump to blaming people for bad systems and processes - unless you uncover willful negligence or gross incompetence. Toughen up, admit that it might be your program, remediate it and move forward. Your employees are doing the actual thinking and processing to generate profits for your company. You do not have to stop their activities nor do you have to penalize with discipline. That is part of the reason a root cause analysis can be such a powerful tool. It identifies what led to the failure without any guesswork.